From grg@isabase.philol.msu.ru Wed Jun 16 06:22:12 1999
Return-Path: <grg@isabase.philol.msu.ru>
Received: from isabase.philol.msu.ru (isabase.philol.msu.ru [195.208.217.73])
	by hub.freebsd.org (Postfix) with ESMTP id 27A8D1544A
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 16 Jun 1999 06:21:08 -0700 (PDT)
	(envelope-from grg@isabase.philol.msu.ru)
Received: (from grg@localhost)
	by isabase.philol.msu.ru (8.9.2/8.9.2) id RAA00800;
	Wed, 16 Jun 1999 17:21:09 +0400 (MSD)
	(envelope-from grg)
Message-Id: <199906161321.RAA00800@isabase.philol.msu.ru>
Date: Wed, 16 Jun 1999 17:21:09 +0400 (MSD)
From: Grigoriy Strokin <grg@isabase.philol.msu.ru>
Reply-To: grg@isabase.philol.msu.ru
To: FreeBSD-gnats-submit@freebsd.org
Subject: segmentation fault running /usr/bin/fmt
X-Send-Pr-Version: 3.2

>Number:         12242
>Category:       bin
>Synopsis:       segmentation fault running /usr/bin/fmt
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 16 06:30:01 PDT 1999
>Closed-Date:    Wed Jun 6 03:18:58 PDT 2001
>Last-Modified:  Wed Jun 06 03:22:26 PDT 2001
>Originator:     Grigoriy Strokin
>Release:        FreeBSD 3.1-STABLE i386
>Organization:
Moscow University
>Environment:

	

>Description:

There is a file that, when passed as input to /usr/bin/fmt,
produces a segmentation fault.

>How-To-Repeat:

uudecode this file:

begin 644 fmt.BUG.txt
M+G0@=&%G(&-O;F9I9W5R92!B;VQD("UF;VYT(%P@*BU#;W5R:65R+4)O;&0M
M4BU.;W)M86PM*BTQ,C`M*B!C<F5A=&5S(&$@=&%G(&YA;65D(&)O;&0@9F]R
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M(&5N=')I97,N(%1H92!T;W`@96YT<GD@9&ES<&QA>7,@82!C87-C861E9"!S
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M:&4@8V%S8V%D960@<W5B;65N=2!I<R!N86UE9"`N;65N=2YF:6QE+FTN87!P
M<SL@:71S("UP;W-T8V]M;6%N9"!O<'1I;VX@8V%U<V5S('1H92!S8W)I<'0@
M(F9I;&Q!<'!S365N=2(@=&\@8F4@97AE8W5T960@96%C:"!T:6UE('1H92!S
M=6)M96YU(&ES('!O<W1E9"!O;B!T:&4@<V-R965N+B!&:6QL07!P<TUE;G4@
M:7,@82!48VP@<')O8V5D=7)E(&1E9FEN960@870@=&AE(&)O='1O;2!O9B!&
M:6=U<F4@,C8N-3L@:70@9&5L971E<R!A;GD@97AI<W1I;F<@96YT<FEE<R!I
M;B!T:&4@<W5B;65N=2P@97AT<F%C=',@=&AE(&YA;65S(&]F(&%L;"!A<'!L
M:6-A=&EO;G,@;VX@=&AE(&1I<W!L87D@=VET:"`B=VEN9F\@:6YT97)P<R(L
M(&%N9"!C<F5A=&5S(&]N92!E;G1R>2!I;B!T:&4@;65N=2!F;W(@96%C:"!A
M<'!L:6-A=&EO;B!N86UE+B!7:&5N(&]N92!O9B!T:&5S92!E;G1R:65S(&ES
M(&EN=F]K960@8GD@=&AE('5S97(L('1H92!P<F\@8V5D=7)E(&YE=T%P<"!W
M:6QL(&)E(&EN=F]K960@=VET:"!T:&4@87!P;&EC871I;VXG<R!N86UE(&%S
+(&%R9W5M96YT+@IK
`
end

then run
  fmt fmt.BUG.txt
This will produce a segmentation fault.

>Fix:
	
	


>Release-Note:
>Audit-Trail:

From: "Danny J. Zerkel" <dzerkel@columbus.rr.com>
To: freebsd-gnats-submit@freebsd.org, grg@isabase.philol.msu.ru
Cc:  
Subject: Re: bin/12242: segmentation fault running /usr/bin/fmt
Date: Sat, 07 Aug 1999 23:05:51 -0400

 Grigoriy,
 
 Doing math on null pointers sounds bad to me...  This was only a
 problem if the first line was longer than the default buffer size of
 1024 bytes.
 line and starts with '.'.  This patch will at least keep it from dumping
 core.
 
 --- /usr/src/usr.bin/fmt/fmt.c.orig     Tue Sep 30 15:42:05 1997
 +++ /usr/src/usr.bin/fmt/fmt.c  Sat Aug  7 22:40:31 1999
 @@ -450,7 +450,8 @@
                 outbuf = realloc(outbuf, outbuf_size);
                 if (outbuf == 0)
                         abort();
 -               outp += outbuf-old_outbuf;
 +               if (outp != NOSTR)
 +                       outp += outbuf-old_outbuf;
         }
  
         if (outp == NOSTR)
 
 -- Danny J. Zerkel
 dzerkel@columbus.rr.com
 

From: Anatoly Vorobey <mellon@pobox.com>
To: dzerkel@columbus.rr.com, freebsd-gnats-submit@freebsd.org,
	grg@isabase.philol.msu.ru
Cc:  
Subject: bin/12242 : segmentation fault running /usr/bin/fmt
Date: Sun, 2 Apr 2000 07:05:22 +0200

 > From: "Danny J. Zerkel" <dzerkel@columbus.rr.com>
 > Subject: Re: bin/12242: segmentation fault running /usr/bin/fmt
 > Date: Sat, 07 Aug 1999 23:05:51 -0400
 > 
 >  Doing math on null pointers, sounds bad to me...  This only was a
 >  problem if the first line was longer than the default buffer size of
 >  1024.  Of course, fmt does nothing to this file since it is only one
 >  line and starts with '.'.  This patch will at least keep it from dumping
 >  core.
 
 >  
 >  --- /usr/src/usr.bin/fmt/fmt.c.orig     Tue Sep 30 15:42:05 1997
 >  +++ /usr/src/usr.bin/fmt/fmt.c  Sat Aug  7 22:40:31 1999
 >  @@ -450,7 +450,8 @@
 >                  outbuf = realloc(outbuf, outbuf_size);
 >                  if (outbuf == 0)
 >                          abort();
 >  -               outp += outbuf-old_outbuf;
 >  +               if (outp != NOSTR)
 >  +                       outp += outbuf-old_outbuf;
 
 This will work, but isn't standard C (the pointer subtraction
 outbuf-old_outbuf involves two unrelated objects and is not well-defined). Perhaps
 the following is better. Maybe someone could review/commit this? I've
 verified this solves the problem.
 
 --- fmt.c.orig  Sat Aug 28 01:01:18 1999
 +++ fmt.c       Sun Apr  2 07:06:04 2000
 @@ -450,7 +450,8 @@
                 outbuf = realloc(outbuf, outbuf_size);
                 if (outbuf == 0)
                         abort();
 -               outp += outbuf-old_outbuf;
 +               if (outp != NOSTR)
 +                       outp = outbuf + (outp - old_outbuf);
         }
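Review bot: `outp - old_outbuf` on the added line is still evaluated after `realloc` has released the block `old_outbuf` points into, so it subtracts an indeterminate pointer from a pointer into a different object — the same ill-defined arithmetic as the removed `outbuf-old_outbuf`, only rearranged. Take the offset while the old block is still live and reapply it afterwards: `s = (outp == NOSTR) ? 0 : outp - outbuf;` ahead of the `realloc`, then `if (outp != NOSTR) outp = outbuf + s;` in place of the added lines, keeping the guard so the empty-line sentinel survives. The hunk as quoted is cut short (its header announces 7 context lines but 5 appear), so the `if (outp == NOSTR)` that follows is outside the quoted lines and the enclosing function starts and ends outside the hunk.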
 
 -- 
 Anatoly Vorobey,
 mellon@pobox.com http://pobox.com/~mellon/
 "Angels can fly because they take themselves lightly" - G.K.Chesterton
 

From: Anatoly Vorobey <mellon@pobox.com>
To: Bruce Evans <bde@zeta.org.au>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/12242 : segmentation fault running /usr/bin/fmt
Date: Sun, 2 Apr 2000 13:59:15 +0000

 On Sun, Apr 02, 2000 at 09:01:26PM +1000, Bruce Evans wrote:
 > 
 > This breaks the (outp == NOSTR) case,
 
 This case should never have been there in the first place. How about
 replacing outp==NOSTR by outp==outbuf throughout? Also the lines
 
 > 	s = (outp == NOSTR) ? 0 : outp - outbuf;
 > 	if (s + wl >= outbuf_size) {
 > 		outbuf_size *= 2;
 > 		outbuf = realloc(outbuf, outbuf_size);
 
 are questionable: nothing guarantees that outbuf_size*2 is big enough to hold
 s + wl chars when a single word is longer than the current buffer.
 
 Here's the patch. Tested, appears to work fine. 
 
 --- fmt.c.orig  Sat Aug 28 01:01:18 1999
 +++ fmt.c       Sun Apr  2 13:50:58 2000
 @@ -65,7 +65,6 @@
  /* LIZ@UOM 6/18/85 -- Don't need LENGTH any more.
   * #define     LENGTH  72              Max line length in output
   */
 -#define        NOSTR   ((char *) 0)    /* Null string pointer for lint */
  
  /* LIZ@UOM 6/18/85 --New variables goal_length and max_length */
  #define GOAL_LENGTH 65
 @@ -395,9 +394,9 @@
   * Build up line images from the words passed in.  Prefix
   * each line with correct number of blanks.  The buffer "outbuf"
   * contains the current partial line image, including prefixed blanks.
 - * "outp" points to the next available space therein.  When outp is NOSTR,
 + * "outp" points to the next available space therein.  When outp==outbuf,
   * there ain't nothing in there yet.  At the bottom of this whole mess,
 - * leading tabs are reinserted.
 + * leading spaces are reinserted.
   */
  char   *outbuf;                        /* Sandbagged output line image */
  char   *outp;                          /* Pointer in above */
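Review bot: The comment edit from `leading tabs are reinserted` to `leading spaces are reinserted` looks doubtful: the routine that rewrites the finished line is called `tabulate()` (see the `oflush()` hunk further down), which suggests it turns leading blanks into tabs rather than the reverse. Unless `tabulate()` was changed as well — its body is not in this patch — the original wording should stay, or be made precise, e.g. `leading blanks are converted to tabs by tabulate()`. Worth confirming against `tabulate()` before this is committed.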
 @@ -413,7 +412,7 @@
         if (outbuf == 0)
                 abort();
         outbuf_size = BUFSIZ;
 -       outp = NOSTR;
 +       outp = outbuf;
  }
  
  /*
 @@ -443,17 +442,18 @@
  {
         register char *cp;
         register int s, t;
 -
 -       if (((outp==NOSTR) ? wl : outp-outbuf + wl) >= outbuf_size) {
 -               char *old_outbuf = outbuf;
 -               outbuf_size *= 2;
 +        
 +       s = outp-outbuf;
 + 
 +       if (s + wl >= outbuf_size) {
 +               outbuf_size = s + wl + 17;    /* clever heuristics */
                 outbuf = realloc(outbuf, outbuf_size);
                 if (outbuf == 0)
                         abort();
 -               outp += outbuf-old_outbuf;
 +               outp = outbuf + s;
         }
  
 -       if (outp == NOSTR)
 +       if (outp == outbuf)
                 leadin();
         /*
          * LIZ@UOM 6/18/85 -- change condition to check goal_length; s is the
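Review bot: `outbuf_size = s + wl + 17` grows the buffer by only one word's worth at a time, so once a line exceeds BUFSIZ every further word triggers another `realloc` and copy — quadratic in line length for exactly the over-long input this PR is about — and the `17` has no stated meaning, which `/* clever heuristics */` does not supply. A geometric policy keeps the amortised cost linear while still covering an oversized single word: `outbuf_size = (s + wl + 1 > 2 * outbuf_size) ? s + wl + 1 : 2 * outbuf_size;`, where the `+ 1` reserves the byte that `oflush()` later uses for the terminating NUL. Two smaller points: `s` is declared `register int` but now holds a pointer difference (`ptrdiff_t`), and if `leadin()` (body not in the patch) writes prefix blanks into `outbuf` when `outp == outbuf`, those blanks are not counted by the `s + wl >= outbuf_size` check — pre-existing, but worth confirming. The enclosing function's signature is above the hunk and its body continues past it.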
 @@ -487,11 +487,11 @@
  void
  oflush()
  {
 -       if (outp == NOSTR)
 +       if (outp == outbuf)
                 return;
         *outp = '\0';
         tabulate(outbuf);
 -       outp = NOSTR;
 +       outp = outbuf;
  }
  
  /*
 @@ -561,7 +561,7 @@
         register char *top;
  
         top = malloc(strlen(str) + 1);
 -       if (top == NOSTR)
 +       if (top == 0)
                 errx(1, "ran out of memory");
         strcpy(top, str);
         return (top);
 
 
 -- 
 Anatoly Vorobey,
 mellon@pobox.com http://pobox.com/~mellon/
 "Angels can fly because they take themselves lightly" - G.K.Chesterton
 
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Wed Jun 6 03:18:58 PDT 2001 
State-Changed-Why:  
This bug is not present in the new version of the fmt(1) utility. 
This utility will be MFCed into RELENG_4 branch within two weeks. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=12242 
>Unformatted:
